The Federal Trade Commission and Facebook are reportedly in the final stages of negotiating a settlement of charges that the company violated its 2011 privacy consent decree. These stem from the Cambridge Analytica debacle — in which a voter profiling company working for Donald Trump was able to access Facebook profiles on tens of millions of users without their permission — and perhaps as well from a series of data breaches, failures to protect personal data and more.
The penalty is on track to look tough — but not really hurt the company. Even more important, it is unlikely either to force the company to better protect and respect users or to break up or restrain Facebook’s overweening power.
Public reports suggest the company will be hit with a fine on the order of $5 billion and perhaps be required to create a privacy oversight board. It’s possible that some system will be imposed that aims to hold Facebook CEO Mark Zuckerberg personally accountable for privacy policy.
Unfortunately, while $5 billion is a very substantial penalty, it’s just not that big a deal for Facebook. When the company announced it expected a fine in that neighborhood, its share price actually went up!
Holding Mark Zuckerberg personally liable for any future privacy infractions at Facebook is an excellent idea, but it has major limitations. No matter what, regulators remain sympathetic to the notion that CEOs can’t know everything that happens inside their company, and they tend not to appreciate that CEOs are responsible for setting corporate norms for complying with the law.
A privacy oversight committee is desirable but also not likely to make much of a difference. Facebook was already operating under a consent decree — which it violated in epic fashion. Additional compliance systems are not likely to do the trick. There is an extensive track record of monitors appointed to ensure compliance in the wake of convictions or settlements, and the record is not good.
If the FTC actually aims to crack down on Facebook to prevent future abuses, the settlement should include prohibitions on specific anti-privacy practices. Examples of the kind of demands the FTC should make include:
—Limits on Facebook’s ability to share user data with outside parties.
—Prohibitions on Facebook’s tracking of users when they are accessing online content or services outside of Facebook.
—A ban on users functioning as de facto marketers to their friends unless they affirmatively aim to do so.
Just as important, the FTC should prevent Facebook from expanding its market power. Facebook’s size and scope make it difficult for users to avoid using the company’s products and to escape from its surveillance and privacy intrusions. The problem is not just a lack of alternatives to Facebook, but the network effects of its monopolistic position.
Refusing to use Facebook means declining social media engagement with most of a person’s friends, acquaintances and colleagues. It is as if choosing an alternative phone service to Verizon meant giving up the possibility of calling most people.
Given that backdrop and Facebook’s repeated failure to respect user privacy, the FTC ideally should act to break up Facebook, as one of the company’s co-founders urges. Recognizing that such action will not come as part of a settlement agreement, the FTC should still insist on structural remedies that prevent Facebook from further consolidating its market power and give users better alternatives than the Facebook privacy regime. These should include:
—A prohibition on the merger of Facebook Messenger, WhatsApp and Instagram messages, so that Facebook cannot force users to use its instant messaging services.
—A prohibition or at minimum lengthy moratorium on Facebook acquisitions, to prevent the company from swallowing future competitors, including competitors who may choose to compete on privacy-related dimensions.
—Obligations for interoperability so that users can rely on services with different features and privacy protections, and still communicate with friends and associates on Facebook properties.
Facebook is an important part of the lives of its more than 200 million users in the United States (and more than 2 billion globally). It has delivered important services and brought joy to many, but it also has built a business model that rests far too heavily on deceit and manipulation of those users. It has failed, repeatedly and on a grand scale, to protect users’ privacy.
For all of its repeated apologies and promises to turn over a new leaf, there is no reason to expect Facebook to reform itself. This is the Federal Trade Commission’s moment to prove it is up to the job — not just to make headlines with a large but unimpactful fine, but to force real change on the social media colossus.